12.7.22 – CI – Felicia King
ITSPs must try to help clients make informed, smart decisions about protecting their organization from cybersecurity threats.
Some clients decline security services. When they do, it’s natural for us to feel some disappointment. However, we also have a responsibility to ourselves and to our other clients. My first step is to educate the client about why I’m providing the service and how it can help them. If I’m able to get them on board, we can move forward with the service. If not, it’s possible that our relationship will not be able to continue.
At the end of the day, we must protect ourselves as IT service providers (ITSPs). Likewise, we have a responsibility to those clients who are conducting themselves in an operationally mature, secure way.
Cybersecurity Insurance Compliance
The biggest challenge we see when clients decline security services is that they do not understand the requirements themselves. They might think their organization is small enough that there’s no need for cybersecurity insurance; in reality, every single business out there has requirements.
Two pressure points feed into the decision to decline security services. One is the actual cybersecurity insurance requirements placed on the client’s organization; the other is the requirements placed on the IT service provider itself, namely the documentation and proof of compliance with those requirements.
Executive Management Must Understand the Value
The best way to attain client buy-in is to show them the value of security-awareness training. Clients who decline security services often do so because they don’t see the value. If you can convey the value of your security-awareness training, however, you might be able to convince them otherwise.
When clients decline security-awareness training and phishing testing and training, it’s important to remember that those programs are required on all cybersecurity insurance applications. They are inexpensive to implement, and the majority of breaches come through end-user e-mail infection or web-infection vectors.
If clients are concerned about lost productivity from time spent on security-awareness training, we must communicate how that small amount of time will save them money and, in the long run, make them more secure. If you can’t convince them to do it, ask some simple questions: What is your biggest concern? Where is your focus? Then address that concern head on.
When Clients Do Not Prioritize IT and Security Services
You’re attempting to put the client in a position to make an informed decision. Unfortunately, the biggest problem we see is a failure to make time for ongoing business planning, business risk management and discussions with the IT service provider. In fact, we see most organizations not making time for those discussions.
Clients are busy. They have a lot on their plates, and they don’t always prioritize communicating with their ITSP. Sometimes they think they won’t make time for that until their ITSP has 100% of their outstanding tickets or projects completed. The reality, however, is that, like everything else in life, there is never a convenient time to do it. Clients continue to procrastinate, and, as a result, they end up as uninformed decision-makers taking on business risk.
They might see meeting with their ITSP as a distraction from the “more urgent” issues on their plate; alternatively, they might think that “this is not a big deal” and can be handled later. Unfortunately, there is always going to be something else that looks like a higher priority, but those important, not-urgent issues eventually do become critical, and perhaps significantly more expensive.
To get clients on board with security services, we must be partners to our clients’ organizations, not just vendors providing services that they either don’t understand or don’t see the value in. We work with them so that, when the time comes for them to make decisions about protecting their data or network, they can easily understand how our security services will help them achieve their goals. That empowers us to take advantage of the opportunities that come along with those decisions.
Shifting of Liability
When a client declines security services, we’re left with a few options. We can continue to give them the service they need while shifting liability onto them, or we can decline to provide them with our services. It’s not as simple as not wanting to do business with them anymore; rather, the ITSP carries a liability risk profile simply by having that business or organization as a client.
If they don’t have access control, if they haven’t implemented multi-factor authentication (MFA) in all appropriate places, if they aren’t using encryption correctly, I would do my best to educate them as to why that is unacceptable. Their cybersecurity insurance does not allow it; neither do the audit and compliance requirements placed upon us as an MSP. Therefore, when a client declines security services, we must shift liability onto them. This means that it’s their problem, not ours, if their data is compromised. We can try to educate our clients about why this is not safe and how it violates our compliance requirements or insurance policies, but, ultimately, they have the final say in what happens with their own data.
Letting a Client Go
When you’re an MSP, your goal is always to help your clients stay as safe as possible. Sometimes that means refusing to work with them if their practices aren’t up to par. This is why, before I turn clients away, I always try to educate them about why their current setup isn’t acceptable. If they understand what’s at stake and still choose not to invest in cybersecurity measures, so be it; I’ll walk away from the relationship knowing I did everything that I could do.
I’m not trying to sell my clients on security services; rather, I’m trying to help them make an informed decision about whether they want to be in business. The ITSP as a company is not the insurance plan for a client; therefore, a client must be a partner in this endeavor of real risk reduction. Sometimes, when a client declines those security services, we, as the service provider, cannot service them anymore. It’s just that simple.
Felicia King is president of QPC Security (QPCsecurity.com), a member of The ASCII Group since 2021.